Скачать презентацию Building Open Source Network Security Tools Invictus Ferramenta Скачать презентацию Building Open Source Network Security Tools Invictus Ferramenta

1c2ee64966c0d5401f03d079cd72b4c6.ppt

  • Количество слайдов: 76

Building Open Source Network Security Tools Invictus Ferramenta Mike Schiffman The RSA Conference, April Building Open Source Network Security Tools Invictus Ferramenta Mike Schiffman The RSA Conference, April 2003

Today’s Presentation is an Overview of This: Today’s Presentation is an Overview of This:

Agenda 1. Introduction and Overview 2. The Modular Model of Network Security Tools 3. Agenda 1. Introduction and Overview 2. The Modular Model of Network Security Tools 3. The Component and Technique Layers 4. Network Security Tool Classification 5. Active and Passive Reconnaissance Technique Details 6. Modeling Existing Tools 7. Inside a Network Security Tool: Firewalk Internals 8. Questions and Comments

Primer on Mike Schiffman • Researcher, Cisco Systems • Critical Infrastructure Assurance Group (CIAG), Primer on Mike Schiffman • Researcher, Cisco Systems • Critical Infrastructure Assurance Group (CIAG), Cisco Systems • Technical Advisory Board for Qualys, IMG Universal • Consulting Editor for Wiley & Sons • R&D, Consulting and Speaking background: • Firewalk, Libnet, Libsf, Libradiate, Various whitepapers and reports • Done time with: @stake, Guardent, Cambridge Technology Partners, ISS • Author: • Building Open Source Network Security Tools, Wiley & Sons • Hacker’s Challenge Book I, Osborne Mc. Graw-Hill • Hacker’s Challenge Book II, Osborne Mc. Graw-Hill

Overview • What you will learn today • A new model for conceptualizing and Overview • What you will learn today • A new model for conceptualizing and describing network security tools • How to apply this model to existing tools • How to use this model to rapidly build new tools • Common network security tool techniques and how they are codified • What you should already know • General understanding of the TCP/IP protocol suite • Primarily layers 1 – 3 (OSI layers 2 – 4) • General network security concepts • For example; the difference between packet sniffing and port scanning • The C programming language

Before we start… • Where should I spend my focus…? • Lots of material Before we start… • Where should I spend my focus…? • Lots of material • Show of hands… • Libnet • Libpcap • The Paradigm and NST terminology • Code?

Paradigm Overview Paradigm Overview

Technically Accurate. Not Tangible. What is a Network Security Tool? A network security tool Technically Accurate. Not Tangible. What is a Network Security Tool? A network security tool is an algorithmic implement that is esigned to probe, assess, or increase the overall safety of or mitigate We need something risk associated with an entity across a communications medium. better… (there is something better) Unwieldy. Too Clinical.

A (New) Paradigm • Functional • Tangible and Visual • Specifies a simple taxonomy A (New) Paradigm • Functional • Tangible and Visual • Specifies a simple taxonomy for grouping and ordering tools • Tool Classifications • Separates a network security tool into three layers or tiers • Component, Technique, Control • Hierarchical dependencies • An object at a higher layer has dependencies on one or more objects below it

The Modular Model of Network Security Tools The Modular Model of Network Security Tools

The Component Layer • Most fundamental layer • Answers the question “How does this The Component Layer • Most fundamental layer • Answers the question “How does this tool do what it does? ” • Task oriented and specific • Components tend to outlay the developmental requirements and restraints of the tool • Software Development Lifecycle • C programming libraries • Robust, portable and generally simple APIs • Libpcap, Libnet, Libsf, Libnids, Libdnet, Open. SSL

The Component Layer with Dependencies The Component Layer with Dependencies

The Technique Layer • Answers the question: “What does this tool do? ” • The Technique Layer • Answers the question: “What does this tool do? ” • More abstract and solution focused • The core essence of the tool is captured at this layer • When building or classifying tools, we start here • Class taxonomy is set at this layer • Packet Sniffing (Passive Reconnaissance) • Port Scanning (Active Reconnaissance) • Vulnerability Testing (Attack and Penetration) • Firewalling (Defensive)

Network Security Tool Taxonomy • Simple method allowing for tool grouping • Tied to Network Security Tool Taxonomy • Simple method allowing for tool grouping • Tied to the Technique Layer • Tools may certainly fit in more than one category (Venn diagram) • Passive Reconnaissance • Active Reconnaissance • Attack and Penetration • Defensive

The Technique Layer with Classification Bindings The Technique Layer with Classification Bindings

Classification Overview Classification Overview

Passive Reconnaissance Tools • Gather information in an ostensibly non-detectable or unobtrusive way • Passive Reconnaissance Tools • Gather information in an ostensibly non-detectable or unobtrusive way • Tend to have long lifecycles in terms of utility • Changes no state on the entity • Tcpdump • Ethereal • Mailsnarf

Active Reconnaissance Tools • Gather information in a detectable way, often by sending network Active Reconnaissance Tools • Gather information in a detectable way, often by sending network traffic and waiting for responses • Tend to have long lifecycles in terms of utility • Changes very little if any state on the entity • Firewalk • Strobe • Nmap • Traceroute

Attack and Penetration Tools • Test for the existence of and/or exploit vulnerabilities • Attack and Penetration Tools • Test for the existence of and/or exploit vulnerabilities • Tools can have a very limited lifetime • i. e. : Remote overflow in IIS version 5. 0 • Often supported by Reconnaissance Tools • Nessus • SSH CRC 32 overflow exploit • apache-scalp. c

Defensive Tools • Keeps an entity safe often by protecting data or detecting illicit Defensive Tools • Keeps an entity safe often by protecting data or detecting illicit activity • Tend to be more complex and have extended execution lifetimes • Snort • GPG • PF (packet filter on Open. BSD)

The Control Layer • General abstract “glue layer” • Can be thought of as The Control Layer • General abstract “glue layer” • Can be thought of as a delivery mechanism for techniques • Less concerned with security-related topics as with program cohesion • Not the focus of this presentation • Command Control • Reporting • Data Correlation and Storage

The Model and The Software Development Lifecycle The Model and The Software Development Lifecycle

Component Layer Details Libpcap Libnet Libnids Libsf Libdnet Open. SSL Component Layer Details Libpcap Libnet Libnids Libsf Libdnet Open. SSL

Component Layer Details: Libpcap • Library for packet capture and filtering • Support for Component Layer Details: Libpcap • Library for packet capture and filtering • Support for live capture and offline storage • Useful for building applications that need to do the following: • Network statistics collection • Network debugging • Security monitoring • Often found in active and passive reconnaissance tools

Typical Libpcap Usage Typical Libpcap Usage

Component Layer Details: Libnet • Library for packet construction and injection • Useful for Component Layer Details: Libnet • Library for packet construction and injection • Useful for building applications that need to do the following: • Network security testing • Network bandwidth testing • Network utility • Definitely the most debonair and sophisticated of the components – truly a discriminating programmer’s component • New version (1. 1. 1) is much more robust than its predecessors • Simple interface for novice users or • Powerful advanced interface • Often found in active reconnaissance and attack and penetration tools

Typical Libnet Usage Typical Libnet Usage

Libnet Supported Protocols Libnet Supported Protocols

Component Layer Details: Libnids • Library that simulates a NIDS E-box • An E-box’s Component Layer Details: Libnids • Library that simulates a NIDS E-box • An E-box’s job is to sample the environment in which it is specialized for, and convert occurrences in the environment into standard data objects for subsequent storage and/or analysis. • Built on top of libpcap and libnet • Offers the following: • IP defragmentation • TCP stream reassembly • Time-based TCP port scan detection • Often found in defensive tools

Component Layer Details: Libsf • Library for IP stack fingerprinting to perform remote OS Component Layer Details: Libsf • Library for IP stack fingerprinting to perform remote OS detection • Built on top of libpcap and libnet • active and passive fingerprinting methods • Based off of the nmap database and P 0 f databases • Often found in reconnaissance tools

Typical Libsf Usage Typical Libsf Usage

Libsf Active Fingerprinting Tests • Seven active tests can be performed using fringe packets: Libsf Active Fingerprinting Tests • Seven active tests can be performed using fringe packets: • TCP SYN to an open port • TCP NULL packet to an open port • TCP FIN|SYN|PSH|URG packet to an open port • TCP ACK packet to an open port • TCP SYN packet to a closed port • TCP ACK packet to a closed port • TCP FIN|PSH|URG to a closed port

Libsf Passive Fingerprinting Tests • Eight passive tests can be preformed across incoming TCP Libsf Passive Fingerprinting Tests • Eight passive tests can be preformed across incoming TCP SYN packets: • Determine original IP TTL • IP packet size • IP DF bit on or off • TCP window scale option present • TCP MSS option present • TCP SACK option present • TCP NOP option present • TCP window size

Component Layer Details: Libdnet • Library for miscellaneous low-level network routines • Robust network Component Layer Details: Libdnet • Library for miscellaneous low-level network routines • Robust network address manipulation • Kernel ARP cache lookup and manipulation • Kernel route table lookup and manipulation • Network interface lookup and manipulation • Network firewall rule manipulation • Ethernet frame and IP packet transmission • Binary buffer manipulation • Random number manipulation • Often found in all tools

Component Layer Details: Open. SSL • Library for SSL / TLS and general cryptography Component Layer Details: Open. SSL • Library for SSL / TLS and general cryptography • SSL/TLS protocols • Symmetric cryptographic operations (ciphers, message digests) • Asymmetric cryptographic operations (digital signatures, enveloping) • Public Key Infrastructure (PKI), including OCSP, rich X 509 certificate support, certificate verification, certificate requests, and CRLs • Often found in defensive tools

Technique Layer Details Packet Sniffing Port Scanning IP Expiry Firewalking Technique Layer Details Packet Sniffing Port Scanning IP Expiry Firewalking

Technique Layer Details: Packet Sniffing • Passive Reconnaissance Technique • Used to capture packets Technique Layer Details: Packet Sniffing • Passive Reconnaissance Technique • Used to capture packets on a network • Very powerful and useful in its own right • However it is also a fundamental building block in more complex tools • Ethernet • 1972, Bob Metcalfe, ALOHA became Ethernet • Shared medium (CSMA/CD) • Promiscuous mode instructs card to listen to every frame • Only works with stations in the same collision domain • Bridges, switches, routers, VLANS break sniffing

Technique Layer Details: Packet Sniffing • Packet Demultiplexing • Breaking apart an Ethernet frame Technique Layer Details: Packet Sniffing • Packet Demultiplexing • Breaking apart an Ethernet frame and passing it the protocol chain • Protocol Decoding • Dissection of the packet at a given OSI layer

Technique Layer Details: Packet Sniffing Processing Technique Layer Details: Packet Sniffing Processing

Sample Packet Sniffing Code Snippet packet = (u_char *)pcap_next(vp->p, &vp->h); /* * Figure out Sample Packet Sniffing Code Snippet packet = (u_char *)pcap_next(vp->p, &vp->h); /* * Figure out which layer 2 protocol the frame belongs to and call * the corresponding decoding module. The protocol field of an * Ethernet II header is the 13 th + 14 th byte. This is an endian * independent way of extracting a big endian short from memory. We * extract the first byte and make it the big byte and then extract * the next byte and make it the small byte. */ switch (vp->packet[12] << 0 x 08 | vp->packet[13]) { case 0 x 0800: /* IPv 4 */ decode_ip(&vp->packet[14], vp->flags); break; case 0 x 0806: /* ARP */ decode_arp(&vp->packet[14], vp->flags); break; default: /* We're not bothering with 802. 3 or anything else */ decode_unknown(&vp->packet[14], vp->flags); break; }

Technique Layer Details: Port Scanning • Active Reconnaissance Technique • Used to determine TCP Technique Layer Details: Port Scanning • Active Reconnaissance Technique • Used to determine TCP and UDP port status • Open, Closed, and optionally what application is listening • Many Considerations • Protocol • Detection and Filtering • Time and Bandwidth

Technique Layer Details: Port Scanning Mechanics • Full-open • Ident • FTP bounce • Technique Layer Details: Port Scanning Mechanics • Full-open • Ident • FTP bounce • Half-open • Side effect RST • Parallel • UDP • Stealth • FIN • XMAS (URG|ACK|PSH) • NULL • Fragmented IP

Technique Layer Details: Port Scanning Technique Layer Details: Port Scanning

Sample Port Scanning Code Snippet int fd, n, c; struct sockaddr_in addr; u_short port_list[] Sample Port Scanning Code Snippet int fd, n, c; struct sockaddr_in addr; u_short port_list[] = {22, 23, 25, 80, 6000, 0}; addr. sin_family = AF_INET; addr. sin_addr. s_addr = 0 x 200 a 8 c 0; /* 192. 168. 0. 2 in network byte order */ for (n = 0; port_list[n] != 0; n++) { addr. sin_port = htons(port_list[n]); fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if (fd == -1) { /* error */ } c = connect(fd, (struct sockaddr *)&addr, sizeof (addr)); if (c == -1) { /* error */ } else if (c == 0) { printf("port %d openn", port_list[n]); } else { printf("port %d closedn", port_list[n]); } close(fd); }

Technique Layer Details: IP Expiry • Active Reconnaissance Technique • Used to map network Technique Layer Details: IP Expiry • Active Reconnaissance Technique • Used to map network devices en route to a target host • Van Jacobson, 1988, Traceroute • Originally used to trace IP packets to a particular destination host • Was extended into Firewalking

Technique Layer Details: IP Expiry Transports • Protocol specific terminal packet semantics • UDP Technique Layer Details: IP Expiry Transports • Protocol specific terminal packet semantics • UDP • Open port: undefined (no response) • Closed port: ICMP port unreachable • ICMP echo reply • TCP SYN • Open port: SYN|ACK • Closed port: RST

Technique Layer Details: IP Expiry Technique Layer Details: IP Expiry

c = libnet_write(l); if (c == -1) { /* error */ } fprintf(stderr, c = libnet_write(l); if (c == -1) { /* error */ } fprintf(stderr, "Hop %02 d: ", ttl); pcap_t *p; for (done = icmp = ip = 0, ttl = 1; ttl ip_p == struct libnet_ipv 4_hdr *ip_h, *oip_h; icmp); { /* libnet id */ char errbuf[LIBNET_ERRBUF_SIZE]; if (icmp == -1) icmp_h = (struct libnet_icmpv 4_hdr *)(packet + 34); { /* expired in transit */ l = libnet_init(LIBNET_RAW 4, NULL, errbuf); /* error */ if (icmp_h->icmp_type == ICMP_TIMXCEED && if (l == NULL) } icmp_h->icmp_code == ICMP_TIMXCEED_INTRANS) { ip = libnet_build_ipv 4( { /* error */ LIBNET_IPV 4_H + LIBNET_ICMPV 4_ECHO_H, /* length */ (struct libnet_ipv 4_hdr *)(packet + 42); oip_h = } 0, /* TOS */ if (oip_h->ip_id == htons(242)) p = pcap_open_live(device, 60, 0, 500, errbuf); 242, /* IP{ID */ if (p == NULL) 0, /* IP Frag */ fprintf(stderr, "%sn", { ttl, /* TTL */ libnet_addr 2 name 4(ip_h->ip_src. s_addr, 0)); /* error */ IPPROTO_ICMP, /* protocol */ break; } 0, /* checksum */ } src_ip, /* src ip */ } dst_ip, /* dst ip */ response */ /* terminal NULL, /* payload */ if (icmp_h->icmp_type == ICMP_ECHOREPLY) 0, /* payloadsiz*/ { l, /* context */ if (icmp_h->icmp_id == 242 && icmp_h->icmp_seq == ttl) ip); /* libnet id */ { if (ip == -1) fprintf(stderr, "%sn", { libnet_addr 2 name 4(ip_h->ip_src. s_addr, 0)); /* error */ done = 1; } break; } } Sample IP Expiry Code Snippet

Technique Layer Details: Firewalking • Active Reconnaissance Technique • Based off of IP expiry Technique Layer Details: Firewalking • Active Reconnaissance Technique • Based off of IP expiry • Used to determine ACL filtering rules on a packet forwarding device • Schiffman, Goldsmith, 1998

Technique Layer Details: Firewalking • Send out a TCP or UDP packet with an Technique Layer Details: Firewalking • Send out a TCP or UDP packet with an IP TTL one greater of the target gateway • Packet passed by gateway ACL: ICMP TTL expired in transit • Packet denied by gateway: No response • Requires two hosts, target and metric • Target is the target gateway to be scanned • Metric is a host or gateway downstream from the target • Doesn’t have to be reachable

Technique Layer Details: Firewalking Technique Layer Details: Firewalking

Technique Layer Details: Firewalking (Phase One: Hopcount Ramping) Technique Layer Details: Firewalking (Phase One: Hopcount Ramping)

Technique Layer Details: Firewalking (Phase Two: Scanning, Packet is not Filtered) Technique Layer Details: Firewalking (Phase Two: Scanning, Packet is not Filtered)

Technique Layer Details: Firewalking (Phase Two: Scanning, Packet is Filtered) Technique Layer Details: Firewalking (Phase Two: Scanning, Packet is Filtered)

Firewalk Packet Loss • Packets can be dropped for a variety of reasons • Firewalk Packet Loss • Packets can be dropped for a variety of reasons • IP is an unreliable network • However, what if there is a prohibitive filter on a gateway prior to the target? • We would get false negatives reporting our packet is being filtered on the target when in fact it is being filtered by another host…

Technique Layer Details: Firewalking (Phase Two: Early Filtering of Packets) Technique Layer Details: Firewalking (Phase Two: Early Filtering of Packets)

Firewalk Early Packet Filtering Solution • We have two solutions: • Performing a “creeping Firewalk Early Packet Filtering Solution • We have two solutions: • Performing a “creeping walk” on each intermediate hop en route to the target. This will determine which gateway has the prohibitive filter • Physically relocate the scanning host to another part of the network so it no longer has to pass through the prohibitive filter in question • This may not always be an option

Firewalk Adjacent Target and Metric • Target and metric and topologically adjacent • Metric Firewalk Adjacent Target and Metric • Target and metric and topologically adjacent • Metric is exactly one hop downstream from the target • If packet violates ACL, nothing happens out of the ordinary • Scan times out and ACL is noted • If packet is passed by the target, it is processed as per RFC 1122 • Results vary, but packet is generally processed as per the protocol specific terminal packet semantics as with IP expiry • Using this, additional scanning can be performed

Technique Layer Details: Firewalking (Phase Two: Scanning, Adjacent Target and Metric) Technique Layer Details: Firewalking (Phase Two: Scanning, Adjacent Target and Metric)

Modeling Existing Tools Modeling Existing Tools

Traceroute Modeled Traceroute Modeled

The Firewalk Tool Modeled The Firewalk Tool Modeled

Inside a Network Security Tool: Firewalk Internals Inside a Network Security Tool: Firewalk Internals

Firewalk Overall Flow fw_shutdown(&fp); usage(argv[0]); #if (HAVE_CONFIG_H) /* probably record proper exit status */ Firewalk Overall Flow fw_shutdown(&fp); usage(argv[0]); #if (HAVE_CONFIG_H) /* probably record proper exit status */ break; we shouldbreak; #include ". . /include/config. h" return (EXIT_SUCCESS); case 'i': default: #endif } /* interface */ usage(argv[0]); #include ". . /include/firewalk. h" fp->device = optarg; }". . /version. h" #include void} break; int usage(u_charcase 'n': c = argc *argv 0) - optind; firewalk(struct firepack **fp) names */ int { if (c != 2) /* do not use { main(int argc, char "Usage&= ~FW_RESOLVE; target_gateway metricn" fprintf(stderr, *argv[]) %s [options] fp->flags : { { int done, i, [-d %d - %d] destination port to use (ramping phase)n" j; "tt break; /* bport, cport, eport; u_short int c; case[-h] program helpn" "tt should only have two arguments 'p': * We struct firepack select firewalk protocol */ at this point, the target "tt [-i *fp; the metric. /* device] * gateway = NULL; interfacen" /* inform char"tt the user what's= what */ addresses into hostnamesn" *port_list and not resolve IP fp->protocol [-n] do fw_prot_select(optarg); */ printf("%s-based. TCP | UDP] firewalk protocoln" char"tt errbuf[FW_ERRBUF_SIZE]; [-p scan. n", break; usage(argv[0]); (*fp)->protocol == IPPROTO_TCP ? "TCP" : "UDP"); "tt case[-r] strict RFC adherencen" 'r': } printf("Ramping. Strict source ACL %d, destination port: % printf("Firewalkphase[gatewayport: scanner]n"); dn", "tt [-S x 5. 0 RFC port range to /* z] adherence /* initialize the - y, (*fp)->dport); */ scann" network components */ (*fp)->sport, %d] FW_STRICT_RFC; "tt fp->flagsargv[optind], argv[optind + 1], port_list) == [-s %d - |= source portn" if (fw_init_net(&fp, if /* ((*fp)->flags 1&-FW_STRICT_RFC read timeout in msn" IPPROTO_TCP) [-T break; 1000] packet && (*fp)->protocol == 1) {* "tt Initialize the- main control context. We keep all of our "tt case[-t 1 'S': %d] {* printf("Using strict IP time to liven" just about every program [-v] program RFC adherence. n"); state here andports is used by this */ "tt /* scan theseversionn" fprintf(stderr, "fw_init_network(): %sn", fp->errbuf); }* functionport_list = optarg; vectorn" in 1 - %d] expire the program. "tt [-x printf("Hotfoot through %s using FW_PORT_MAX, FW_PORT_MIN, */ goto done; "n", argv 0, break; FW_PORT_MIN, %s as a metric. n", } (fw_init_context(&fp, errbuf) == -1) if libnet_addr 2 name 4(((* fp)->gateway), FW_PORT_MAX, case 's': state initialization completed successfully. n"); printf("Firewalk { ((*fp)->flags) & FW_RESOLVE), FW_IP_HOP_MAX, and hopefully phase two */ /* source one, FW_XV_MAX); /* execute scan: phaseport */ fprintf(stderr, "fw_init_control(): %sn", errbuf); libnet_addr 2 name 4(((* fp)->metric), exit(EXIT_SUCCESS); fp->sport switch (firewalk(&fp)) =&fw_str 2 int(optarg, "source port", goto ((*fp)->flags) done; FW_RESOLVE)); } FW_PORT_MIN, FW_PORT_MAX); { /* } case -1: break; * PHASE ONE: Firewalk hopcount ramping /* EOF */ case 'T': /* process commandline arguments. IP expiry scan is initiated towards * case FW_SERIOUS_ERROR: for packets from other end */ A standard Traceroute-style */ /* time to wait some while ((c =grievous errorargv, "d: fhi: no: p: r. S: s: T: t: vx: ")) != EOF) * the /* getopt(argc, intent being to find how many hops timer", metric, fp->pcap_timeout = sort */ with the of fw_str 2 int(optarg, "read away the fprintf(stderr, "firewalk(): %sn", fp->errbuf); {* target gateway is from the scanning host. We'll increment the FW_PCAP_TIMEOUT_MIN, FW_PCAP_TIMEOUT_MAX); break; * hopcounter and update packet template each pass through theloop. switch (c) break; case FW_ABORT_SCAN: */ { case 't': /* hop Phase: n"); printf("Rampingcount exceeded or metric en route */ case/* set initial IP TTL */ 'd': fprintf(stderr, "Scan aborted: %s. n", ramping phase */ for (done = fp->ttl 0; fw_str 2 int(optarg, "initial TTL", 0, i = = !done && /* destination portito use during fp->errbuf); < FW_IP_HOP_MAX; i++) break; { fp->dport = fw_str 2 int(optarg, "ramping destination FW_IP_HOP_MIN, FW_IP_HOP_MAX); port", case FW_USER_INTERRUPT: /* send a series of probes (currently one) */ break; fprintf(stderr, j++) for case 'v': < FW_PORT_MIN, FW_PORT_MAX); (j = 0; j 1; "Scan aborted by user. n"); break; { break; default: /* version */ fprintf(stderr, "%2 d "version : %sn", VERSION); caseprintf(FW_BANNER (TTL %2 d): ", i + 1, (*fp)->ttl); 'f': printf("n. Scan completed == -1) host */ if (fw_packet_inject(fp) successfully. n"); /* stack fingerprint of each goto done; break; { casefp->flags |= FW_FINGERPRINT; 'x': } /* break; /* expire vector */ done: casefp->xv = * Perhaps this write error was transient. We'll hope 'h': vector", fw_report_stats(&fp); fw_str 2 int(optarg, "expire and continue. /* program help */ Inform the user * for the best. FW_XV_MAX); FW_XV_MIN,

Firewalk Initialization int setup the metric */ /* /* /*/* get the datalink size Firewalk Initialization int setup the metric */ /* /* /*/* get the datalink size */ fw_init_net(struct firepack **fp, char *gw, char *m, char *port_list) if (((*fp)->metric = libnet_name 2 addr 4((*fp)->l, m, 1)) == -1) filter * Set pcap filter and determine outgoing packet size. The *switch (pcap_datalink((*fp)->p)) We'll use this packet template Build a probe packet template. { { * will be determined by the scanning protocol: int *{ over and over for each write to the network, modifying certain #if HAVE_BPF scan: *snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, UDP * fields DLT_SLIP: UDP/TCP ports and *errbuf) case (IP TTL, fw_init_context(struct firepack **fp, charof course checksums as we go). int*one; icmp[0] == 11 or icmp[0] == %sor udp "libnet_name 2 addr 4(): 3 (metric: %s)", */ (*fp)->packet_offset = 0 x 10; { #endif * TCP scan: libnet_geterror((*fp)->l), m); if = (struct firepack *)malloc(sizeof(struct firepack)); break; *fp(fw_packet_build_probe(fp) == -1) charreturn (-1); 11 or icmp[0] == 3 or tcp[14] == 0 x 12 or tcp[14] * errbuf[PCAP_ERRBUF_SIZE]; icmp[0] == { case DLT_RAW: if (*fp == NULL) } * == 0 x 4 or tcp[14] == 0 x 14 /* error msg set in fw_packet_build_probe() */ (*fp)->packet_offset = 0 x 00; { /* get a libnet context */ */ returnbreak; (-1); snprintf(errbuf, FW_ERRBUF_SIZE, "malloc(): %s", strerror(errno)); /*switch ((*fp)->protocol) (*fp)->l =check */ sanity libnet_init(LIBNET_LINK, (*fp)->device, errbuf); } case DLT_PPP: return (-1); if{((*fp)->l == NULL) (*fp)->metric) ((*fp)->gateway == return (1); (*fp)->packet_offset = 0 x 04; } { case IPPROTO_UDP: break; memset(*fp, 0, sizeof(struct firepack)); snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "libnet_init(): -1) if (fw_set_pcap_filter(FW_BPF_FILTER_UDP, fp) == %s", case DLT_EN 10 MB: { errbuf); gateway and metric cannot be the same"); "target /* setdefault: here */ defaults return (-1); err msg set in fw_set_pcap_filter() */ /* = initial probe IP TTL */ (*fp)->ttl(*fp)->packet_offset /*0 x 0 e; = 1; } return (-1); break; (*fp)->sport = 53; /* source port (TCP and UDP) */ } } (*fp)->dport = 33434; /* ala traceroute */ /* get our/* IP list the user didn't*/ port + UDP */ device if stuff situated specify one*/ (*fp)->protocol = IPPROTO_UDP; if ((*fp)->device == NULL) (libnet_plist_chain_new((*fp)->l, &(*fp)->plist, (*fp)->packet_size = LIBNET_IPV 4_H + LIBNET_UDP_H; (*fp)->id = getpid(); { port_list == NULL ? strdup(FW_DEFAULT_PORT_LIST) : break; (*fp)->pcap_timeout = FW_REPLY_TIMEOUT; port_list) == -1) (*fp)->device = libnet_getdevice((*fp)->l); case IPPROTO_TCP: (*fp)->xv = 1; { } if (fw_set_pcap_filter(FW_BPF_FILTER_TCP, fp) == -1) (*fp)->flags |= FW_RESOLVE; snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, { /* get the sourceerr msg set ourfw_set_pcap_filter()*/ "libnet_plist_chain_new(): %sn", interface */ /* address of in outgoing libnet_geterror((*fp)->l)); /* setup our signal handler to handle a ctrl-c */ (*fp)->sin. sin_addr. s_addr = libnet_get_ipaddr 4((*fp)->l); return (-1); if (catch_sig(SIGINT, catch_sigint) == -1) } } { /* setup the target gateway */ get a pcap. IP + TCP */ /* context snprintf(errbuf, FW_ERRBUF_SIZE, "catch_sig(): %s", (*fp)->p =(*fp)->packet_size = LIBNET_IPV 4_H + LIBNET_TCP_H; if (((*fp)->gateway = libnet_name 2 addr 4((*fp)->l, gw, 0, 0, == -1) pcap_open_live((*fp)->device, FW_SNAPLEN, 1)) errbuf); strerror(errno)); if { (((*fp)->p) == NULL) return (-1); { snprintf((*fp)->errbuf, TCP sequence number */ /* randomize the FW_ERRBUF_SIZE, } snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "pcap_open_live(): %s", libnet_seed_prand((*fp)->l); "libnet_name 2 addr 4(): %s (target gateway: %s)", (*fp)->seq = libnet_get_prand(LIBNET_PRu 32); errbuf); libnet_geterror((*fp)->l), gw); return (1); returnbreak; (-1); } } default: sprintf((*fp)->errbuf, "fw_init_network(): unsupported protocol"); return (-1); }

Firewalk Packet Construction int a = arp_open(); fw_packet_build_tcp(struct firepack **fp) fw_packet_build_probe(struct firepack **fp) if Firewalk Packet Construction int a = arp_open(); fw_packet_build_tcp(struct firepack **fp) fw_packet_build_probe(struct firepack **fp) if (a == NULL) { /* /*{build our IPv 4 header */ /**build we need to get arp_t. Now a TCP header */the MAC address of our first hop gateway. *a; (*fp)->ip = libnet_build_ipv 4( snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "arp_open()"); (*fp)->tcpto the rescue! We start by doing a route table lookup route_t *r; = libnet_build_tcp( * Dnet return (-1); (*fp)->packet_size, /* packetlength */ * to (*fp)->sport, determine the struct arp_entry arp; IP address we use to get source TCP port */ /* to the 0, /* IP tos */ } * destination host (the struct route_entry route; metric). (*fp)->dport, /* dest TCP port */ (*fp)->id, /* IP id */ /* get the MAC of the first hop gateway */ */ (*fp)->seq, /* sequence number */ arp_pa = route_gw; 0, /* IP frag bits */ /* first 0 L, r = route_open(); transport layer header *//* ACK number */ build our if (arp_get(a, &arp) < 0) (*fp)->ttl, /* IP time to live */ switch ((*fp)->protocol) if (r == NULL) TH_SYN, /* control flags */ { (*fp)->protocol, /* transport protocol */ {{ 1024, /* window size */ snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "route_get()"); 0, /* checksum */ case 0, IPPROTO_UDP: snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, /* checksum */ "route_open()"); arp_close(a); (*fp)->sin. sin_addr. s_addr, /* IP source */ route_close(r); 0, if (fw_packet_build_udp(fp) == -1) /* urgent */ return (-1); (*fp)->metric, /* IP destination */ return (-1); (*fp)->packet_size - LIBNET_IPV 4_H, /* TCP size */ { } NULL, /* IP payload */ } NULL, error msg set in fw_packet_build_udp() */ */ /* /* IP payload arp_close(a); 0, /* IP payload size */ 0, return (-1); /* IP payload size */ (*fp)->l, /* libnet context */ /* convert the metric address to dnet's nativelibnet context */ (*fp)->l, } /* addr_t format /* build our ethernet header */ 0); /* No saved ptag */ if (addr_aton(libnet_addr 2 name 4((*fp)->metric, No saved ptag */ 0); break; /* 0), if (libnet_autobuild_ethernet( case IPPROTO_TCP: &route_dst) < 0) if ((*fp)->ip == -1) (u_char *)&arp. arp_ha. addr_eth, if ((*fp)->tcp == -1) { if (fw_packet_build_tcp(fp) == -1) { ETHERTYPE_IP, { snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "addr_aton()"); { snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "libnet_build_ipv 4() %s", (*fp)->l) == -1) snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "libnet_build_tcp() %s", route_close(r); msg set in fw_packet_build_tcp() */ /* error { libnet_geterror((*fp)->l)); return (-1); libnet_geterror((*fp)->l)); snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, return (-1); } } "libnet_autobuild_ethernet() %s", }/* get break; the route entry telling us how to reach the metric */ libnet_geterror((*fp)->l)); return (1); if default: (route_get(r, &route) < 0) arp_close(a); } { sprintf((*fp)->errbuf, return (-1); snprintf((*fp)->errbuf, FW_ERRBUF_SIZE, "route_get()"); "fw_packet_build_probe(): unknown protocol"); } route_close(r); return (-1); } return (-1); return (1); } } route_close(r);

Firewalk Ramping Phase /* if (!done) (fw_packet_capture(fp)) switch * PHASE ONE: Firewalk hopcount ramping Firewalk Ramping Phase /* if (!done) (fw_packet_capture(fp)) switch * PHASE ONE: Firewalk hopcount ramping { { * A standard Traceroute-style IP expiry scan== -1) if (fw_packet_update_probe(fp, 0) is initiated towards case FW_PACKET_IS_UNREACH_EN_ROUTE: * the metric, with the intent being to find how many hops away the { case FW_PACKET_IS_TTL_EX_EN_ROUTE: * target gateway is from the scanning. FW_BOUND) /* error msg set in fw_packet_update_probe */ the if ((*fp)->flags & host. We'll increment * hopcounter and update packet template each pass through the loop. return (-1); { */ } printf("Binding host reached. n"); printf("Ramping Phase: n"); = 1; } done for (done = 0, i = 0; !done && i < FW_IP_HOP_MAX; i++) } } { if (done && !((*fp)->flags & FW_BOUND)) break; /* send a series of probes (currently one) */ { case FW_PACKET_IS_TERMINAL_TTL_EX: for (j = 0; j < 1; j++) /* case FW_PACKET_IS_TERMINAL_UNREACH: { * If we're FW_PACKET_IS_TERMINAL_SYNACK: hit the metric case "done" but not "bound" then we fprintf(stderr, "%2 d (TTL %2 d): ", i + 1, (*fp)->ttl); target * before we. FW_PACKET_IS_TERMINAL_RST: This means the case hit the target gateway. if (fw_packet_inject(fp) == -1)the metric. end phaseover */ * gateway /* any terminal response will is not en route to Game's one kids. {*/ done = 1; sprintf((*fp)->errbuf, /* break; * Perhaps this writebefore was transient. We'll hope "metric case -1: responded error target; must not be en route"); return (FW_ABORT_SCAN); Inform the user and continue. * for the best. case FW_SERIOUS_ERROR: } */ /* err msg set in fw_packet_capture() */ if (!done) fprintf(stderr, (FW_SERIOUS_ERROR); return "fw_packet_inject(): %sn", { case(*fp)->errbuf); FW_USER_INTERRUPT: /* if we fall through down here, we've exceeded our hopcount */ continue; user hit ctrl-c */ /* } sprintf((*fp)->errbuf, "hopcount exceeded"); return (FW_USER_INTERRUPT); return (FW_ABORT_SCAN); } } }

Firewalk Scanning Phase /* send a series of probes (currently one) */ /* for Firewalk Scanning Phase /* send a series of probes (currently one) */ /* for (j = 0; j < 1; j++) * PHASE TWO: Firewalk scanning { * A series of probes are sent from to the", cport); fprintf(stderr, "port %3 d: metric with the bound IP * TTL. If a given probe is accepted through the target gateway's (*fp)->stats. ports_total++; * ACL, we willif (fw_packet_inject(fp) == -1) transit from the receive an ICMP TTL expired in * binding host{If we receive no response after the timeout expires, * it is assumed the probe violated the ACL on the target and was /* * dropped. * Perhaps this write error was transient. We'll */ * hope for the best. Inform the user and continue. */ (*fp)->ttl += (*fp)->xv; printf("Scan bound at %d hops. n", (*fp)->ttl); fprintf(stderr, "fw_packet_inject(): %sn", printf("Scanning Phase: n"); (*fp)->errbuf); for (done = 0, i = 0; !done; i++) continue; { } if (!libnet_plist_chain_next_pair((*fp)->plist, &bport, &eport))*/ /* we don't care what the return value is this time { switch(fw_packet_capture(fp)) /* we've{exhausted our portlist and we're done */ done = 1; case FW_USER_INTERRUPT: continue; return (FW_USER_INTERRUPT); } case -1: while (!(bport >case FW_SERIOUS_ERROR: eport) && bport != 0) { /* err msg set in fw_packet_capture() */ cport = bport++; return (FW_SERIOUS_ERROR); if (fw_packet_update_probe(fp, cport) == -1) default: { /* empty */ /* error msg set in fw_packet_update_probe */ } } return (-1); } } return (1); }

Firewalk Capture switchfor (timed_out = 0; &!timed_out &&fw_packet_verify_ramp(fp) : (!(((*fp)->flags) FW_BOUND) ? loop; ) Firewalk Capture switchfor (timed_out = 0; &!timed_out &&fw_packet_verify_ramp(fp) : (!(((*fp)->flags) FW_BOUND) ? loop; ) casefw_packet_verify_scan(fp)) FW_PORT_IS_OPEN_RST: { /* SCANNING: { c = select(pcap_fd. A+response from a 0, 0, &timeout); */ 1, &read_set, closed TCP port switch. FW_PACKET_IS_TTL_EX_EN_ROUTE: fp); casefw_report(FW_PORT_IS_OPEN_RST, (c) (*fp)->stats. packets_caught_interesting++; (standard) */ { /* RAMPING: TTL expired en route to gateway return case -1: (FW_PORT_IS_OPEN_RST); fw_report(FW_PACKET_IS_TTL_EX_EN_ROUTE, fp); case(*fp)->stats. packets_caught_interesting++; FW_PORT_IS_OPEN_UNREACH: FW_ERRBUF_SIZE, snprintf((*fp)->errbuf, /* SCANNING: A port unreachable response */ return (FW_PACKET_IS_TTL_EX_EN_ROUTE); "select() %s", strerror(errno)); casefw_report(FW_PORT_IS_OPEN_UNREACH, fp); FW_PACKET_IS_UNREACH_EN_ROUTE: return (-1); (*fp)->stats. packets_caught_interesting++; case. RAMPING: Unreachable en route to gateway (uncommon) */ /* 0: return (FW_PORT_IS_OPEN_UNREACH); fw_report(FW_PACKET_IS_UNREACH_EN_ROUTE, fp); timed_out = 1; case(*fp)->stats. packets_caught_interesting++; FW_PORT_IS_OPEN_TTL_EX: continue; /* SCANNING: A TTL expired */ default: (FW_PACKET_IS_TTL_EX_EN_ROUTE); return casefw_report(FW_PORT_IS_OPEN_TTL_EX, fp); 0) FW_PACKET_IS_TERMINAL_TTL_EX: if (FD_ISSET(pcap_fd, &read_set) == (*fp)->stats. packets_caught_interesting++; /* { RAMPING: TTL expired at destination (rare) */ return timed_out = 1; (FW_PORT_IS_OPEN_TTL_EX); fw_report(FW_PACKET_IS_TERMINAL_TTL_EX, fp); case(*fp)->stats. packets_caught_interesting++; FW_PACKET_IS_BORING: continue; default: return (FW_PACKET_IS_TERMINAL_TTL_EX); } casecontinue; through to read the packet */ FW_PACKET_IS_TERMINAL_UNREACH: /* fall } } /* RAMPING: Unreachable at destination (uncommon) */ } (*fp)->packet = (u_char *)pcap_next((*fp)->p, &pc_hdr); fw_report(FW_PACKET_IS_TERMINAL_UNREACH, fp); if ((*fp)->packet == NULL) (*fp)->stats. packets_caught_interesting++; { return (FW_PACKET_IS_TERMINAL_UNREACH); case FW_PACKET_IS_TERMINAL_SYNACK: /* no NULL packets please */ continue; fw_report(FW_PACKET_IS_TERMINAL_SYNACK, fp); } (*fp)->stats. packets_caught_interesting++; (*fp)->stats. packets_caught++; return (FW_PACKET_IS_TERMINAL_SYNACK); case FW_PACKET_IS_TERMINAL_RST: fw_report(FW_PACKET_IS_TERMINAL_RST, fp); (*fp)->stats. packets_caught_interesting++; return (FW_PACKET_IS_TERMINAL_RST); case FW_PORT_IS_OPEN_SYNACK: /* SCANNING: A response from an open TCP port */ fw_report(FW_PORT_IS_OPEN_SYNACK, fp); (*fp)->stats. packets_caught_interesting++; return (FW_PORT_IS_OPEN_SYNACK);

Firewalk Packet Verification (ramping phase) Firewalk Packet Verification (ramping phase)

Firewalk Packet Verification (Scanning Phase) Firewalk Packet Verification (Scanning Phase)

Conclusion • Modular Model of Network Security Tools • Components and Techniques • This Conclusion • Modular Model of Network Security Tools • Components and Techniques • This was not an exhaustive list of Components or Techniques… • Examples of how to code Techniques using Components

Questions and Comments? mike@infonexus. com http: //www. packetfactory. net Questions and Comments? [email protected] com http: //www. packetfactory. net